Privacy Policy
We keep this short on purpose. Here is what data Legible collects, why, and what happens to it. If anything is unclear, email privacy@legible.cv and we will sort it out.
1. Who we are
Legible is a sole proprietorship (enkeltmandsvirksomhed) registered in Denmark.
| Company name | Legible |
| CVR number | 46437179 |
| Country | Denmark |
| General contact | hello@legible.cv |
| Privacy contact | privacy@legible.cv |
Legible is the data controller for any personal data processed in connection with this service.
2. What data we collect and why
CV text and job ad text
When you paste or upload your CV and (optionally) a job ad, that text is sent from your browser directly to OpenAI and Anthropic to power the diagnosis and interview. It is never sent to or stored on Legible's own servers. It does not touch any Legible database.
Legal basis: Article 6(1)(b) GDPR, performance of a contract. You are asking us to analyse your materials, and this is how we do it.
Interview messages
The conversation you have with the AI during the interview step lives in your browser's memory for the duration of your session. It is never written to disk or any database. When you close the tab, it is gone.
Legal basis: Article 6(1)(b) GDPR.
Session data (saved before payment)
Just before you check out, a snapshot of your session is saved to temporary storage so the rebuild can be completed after payment is confirmed. This snapshot contains: your email address, your role and challenge answers, the diagnosis result, the interview transcript, your chosen CV template, and your withdrawal consent timestamp. It is deleted as soon as your rebuilt CV is delivered, or after 30 days if delivery fails for any reason.
Legal basis: Article 6(1)(b) GDPR.
Email address
We ask for your email address so we can send your rebuilt CV (and cover letter, if you ordered one). This is the only reason we collect it. It is processed by our email provider, Resend.
If you tick the marketing opt-in checkbox at checkout, your email address is also added to our mailing list in Resend Audiences. You can unsubscribe at any time using the link in any email we send, or by emailing privacy@legible.cv.
Legal basis for delivery: Article 6(1)(b) GDPR. Legal basis for marketing: Article 6(1)(a) GDPR (your consent).
Payment record
After you pay, we store a payment record indefinitely for accounting and tax purposes. This record contains: your email address, the amount paid, the products ordered, the timestamp, and the Stripe payment intent ID. We never see or store your card details. Stripe handles all of that.
Legal basis: Article 6(1)(c) GDPR, legal obligation (Danish bookkeeping law).
Analytics
We track anonymised usage events (such as which step of the flow you reached) using our own self-hosted system. No personal data is collected. Events are tied to an anonymous session ID that expires when you close the tab and cannot be linked back to you as an individual.
3. Data processors
We use a small set of third-party services to run Legible. Each has a data processing agreement (DPA) in place.
| Processor | Purpose | Country | Safeguard |
|---|---|---|---|
| OpenAI | CV diagnosis and AI interview | USA | Standard Contractual Clauses (SCCs) via OpenAI API terms |
| Anthropic | CV rebuild (Claude Sonnet) | USA | SCCs via Anthropic API terms |
| Netlify | Hosting, serverless functions, temporary blob storage | USA | SCCs via Netlify DPA |
| Resend | Email delivery and marketing list | USA | SCCs via Resend DPA |
| Stripe | Payment processing | Ireland / USA | EU adequacy (Ireland) + SCCs for US transfers |
4. How long we keep data
| Data type | Retention period |
|---|---|
| CV text and job ad text | Not stored by Legible. Sent from browser to OpenAI/Anthropic directly. |
| Interview messages | Browser memory only. Cleared when the tab closes. |
| Pre-payment session snapshot | Deleted on delivery, or after 30 days if delivery fails. |
| Rebuilt CV file (post-payment) | Deleted after delivery to your inbox. |
| Email address (delivery) | Retained in Resend delivery logs for up to 30 days, then deleted automatically. This includes the email body, which contains your rebuilt CV content. |
| Email address (marketing list) | Until you unsubscribe or withdraw consent. |
| Payment record | Indefinitely, for accounting and tax compliance. |
5. Cookies and analytics
Legible does not use cookies. None. Not for tracking, not for sessions, not for anything.
Your session state (your CV text, interview answers, template choice) is held in JavaScript memory in your browser tab. It is not written to cookies or localStorage, so it does not persist between sessions or browser restarts.
The only analytics we run is our own self-hosted event tracker, which is cookieless and collects no personal data. No consent banner is needed, and we do not show one.
6. Your rights under GDPR
Because Legible does not store your CV or interview data, most requests can be handled very quickly. Here is what you are entitled to:
Access
You can ask us what personal data we hold about you. In most cases this will be limited to your email address in our delivery logs or marketing list, and your payment record if you paid.
Correction
If something we have stored is wrong, we will fix it. Email privacy@legible.cv.
Deletion
You can ask us to delete your data. We will delete everything we can. The one exception is payment records, which we are legally required to keep for accounting purposes.
Portability
You can ask for a copy of the personal data you gave us, in a common machine-readable format. This applies to data you actively provided (such as your email address), not to data we derived from it.
Objection
You can object to processing based on legitimate interests (we do not rely on legitimate interests for any core processing). You can withdraw marketing consent at any time using the unsubscribe link in any email or by contacting us.
Complaint to the supervisory authority
If you think we have handled your data incorrectly, you have the right to lodge a complaint with Datatilsynet, the Danish data protection authority.
| Website | datatilsynet.dk |
| dt@datatilsynet.dk | |
| Phone | +45 33 19 32 00 |
We would always prefer you contact us first so we can try to resolve things directly.
7. International transfers
Several of our processors are based in the USA, which does not have an EU adequacy decision. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism. Each processor listed in Section 3 has SCCs in place as part of their standard API or DPA terms.
Stripe's primary entity is based in Ireland (an EU member state), so most payment processing is within the EEA. SCCs cover any onward transfers to US entities within the Stripe group.
8. Changes to this policy
If we make a material change, we will update the "Last updated" date at the top of this page. For significant changes that affect how we use your data, we will notify you by email if we have your address. Continuing to use Legible after a change takes effect means you have seen the updated policy.
9. Contact
For any privacy question, data request, or concern, contact us at privacy@legible.cv. We aim to respond within five business days.